Password Auditing


Password policies are often the first line of defence against attackers, but are they effective? That one isn't, and it's a fair guess that someone, maybe even a developer or administrator has set that for a privileged user or system and it's never been changed.

Remember that printer that was installed in 2017? It's still there, it's on the domain and still using the default password. It is not unheard of for printers to be used as a foothold into a network.

What about that admin account that was created for a contractor that left 3 years ago?...

That isn't hyperbole. We've seen it happen and far too often. A bad password in the wrong place can trigger a cascade of events that can lead to a compromise of your entire domain without ever having to use malware.

Implementing a password policy is a good start, but it's not enough. You need to test it and understand how far your organisation is still exposed and where. That's where we come in.

We will use powerful custom hardware to attempt to crack your users passwords, typically domain credentials. From this we can provide you with a custom report detailing exposure by department, operating unit or any other grouping you require.

Additionally, we will search breached password databases to identify any credentials that have been compromised and are using the same password across multiple services. Passwords from data breaches are often analysed and used in targeted online and offline password attacks by attackers

NOTE: This service can be combined with other services such as Phishing and Open Source Intelligence (OSINT) to provide a more holistic approach to testing your security policies, controls and exposure. This service is also built into Active Directory (AD) assessments.


  • We have a number of methods we use for testing and no cleartext password will ever be exposed to public services.
  • We provide optional additional layers of hashing and encryption protection for instances where handing over of credentials conflicts with our clients security policies. This limits our ability to discern which accounts were compromised or even what the cleartext passwords are.
  • As we add layers of anonymity, the granularity of reporting may suffer a fall off. There will also be additional steps required by your own IT teams before data is handed to us.

  • Resources

    Our Mission

    To provide leading IT professional services via high quality, scalable, consistent and cost-effective penetration testing, information and cyber security assurance, risk management and analytics.

    Realize Security Ltd. |
    Company Number: 12606876